BFF token-handler cookie model; SPA routes use get_current_user_from_session; API-key and voice modes are exceptions.
